In a classic story of “it’s never over until it’s over,” cybersecurity David LabMD challenged the FTC’s Goliathan ability to issue sweeping orders in relation to security concerns under Section 5(a) of the Federal Trade Commission Act. LabMD had lost its challenge of the FTC’s underlying authority to issue such orders, but continued in its fight, ultimately challenging the wording of the FTC’s form order itself. And LabMD ultimately won in a landmark decision that can be found here.
States have been following a parallel enforcement track to the FTC, issuing their own orders under their Unfair and Deceptive Acts and Practices (“UDAP”) acts, otherwise known as “little FTC” acts. The states, however, may have already created a way for the FTC to have its cake and eat it too in light of the 11th Circuit’s decision: be more specific in its enforcement orders, and perhaps limit their temporal scope. HSE Privacy and Data Security chair, F. Paul Greene, and team member Daniel J. Altieri, discuss these developments in detail in the New York Law Journal article linked below.